New pki-server CLI commands have been added to simplify
inspecting the audit log files on the server.

Pushed to master under trivial rule.

--
Endi S. Dewata
>From d8081073d10065987341a6583a6a7e7351b22438 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Tue, 11 Apr 2017 18:04:41 +0200
Subject: [PATCH] Added pki-server <subsystem>-audit-file-find CLI.

A new pki-server <subsystem>-audit-file-find CLI has been added
to list audit log files on the server.

Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
---
 base/server/python/pki/server/__init__.py  |  14 ++++
 base/server/python/pki/server/cli/audit.py | 109 +++++++++++++++++++++++++++++
 base/server/python/pki/server/cli/ca.py    |   2 +
 base/server/python/pki/server/cli/kra.py   |   2 +
 base/server/python/pki/server/cli/ocsp.py  |   2 +
 base/server/python/pki/server/cli/tks.py   |   2 +
 base/server/python/pki/server/cli/tps.py   |   2 +
 7 files changed, 133 insertions(+)
 create mode 100644 base/server/python/pki/server/cli/audit.py

diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 5032274705744290313b29e878721c638909bc57..112dcbff3625c752d6130b847d4448799e8c8224 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -389,6 +389,20 @@ class PKISubsystem(object):
 
         pki.util.customize_file(input_file, output_file, params)
 
+    def get_audit_log_files(self):
+
+        current_file_path = self.config['log.instance.SignedAudit.fileName']
+        (log_dir, current_file) = os.path.split(current_file_path)
+
+        # sort log files based on timestamp
+        files = [f for f in os.listdir(log_dir) if f != current_file]
+        files.sort()
+
+        # put the current log file at the end
+        files.append(current_file)
+
+        return files
+
     def __repr__(self):
         return str(self.instance) + '/' + self.name
 
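Review bot: `get_audit_log_files` returns every entry of `log_dir` except the current file, so any unrelated file living in that directory (another log, a stray backup) is reported as an audit log file and, in the follow-up file-verify patch, is handed to AuditVerify in sequence. Limiting the listing to names derived from the current file, `files = [f for f in os.listdir(log_dir) if f != current_file and f.startswith(current_file)]`, would match what the comment intends — this presumes rotated files are named `<current_file>.<suffix>`, which should be confirmed against the logging configuration. The comment `# sort log files based on timestamp` also overstates `files.sort()`, which is a lexical sort and only coincides with chronological order when every name carries a fixed-width timestamp; `# lexical sort; chronological only for fixed-width timestamp suffixes` would be accurate. A docstring such as `"""Return SignedAudit log file names, rotated files first, current file last."""` would help callers relying on that ordering.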
diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
new file mode 100644
index 0000000000000000000000000000000000000000..3bb9d5f0f68748797d9809b0d3e93952c5cd2d5d
--- /dev/null
+++ b/base/server/python/pki/server/cli/audit.py
@@ -0,0 +1,109 @@
+# Authors:
+#     Endi S. Dewata <edew...@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2017 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+from __future__ import print_function
+import getopt
+import sys
+
+import pki.cli
+
+
+class AuditCLI(pki.cli.CLI):
+
+    def __init__(self, parent):
+        super(AuditCLI, self).__init__(
+            'audit', 'Audit management commands')
+
+        self.parent = parent
+        self.add_module(AuditFileFindCLI(self))
+
+
+class AuditFileFindCLI(pki.cli.CLI):
+
+    def __init__(self, parent):
+        super(AuditFileFindCLI, self).__init__(
+            'file-find', 'Find audit log files')
+
+        self.parent = parent
+
+    def print_help(self):
+        print('Usage: pki-server %s-audit-file-find [OPTIONS]' % self.parent.parent.name)
+        print()
+        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
+        print('      --help                         Show help message.')
+        print()
+
+    def execute(self, args):
+
+        try:
+            opts, _ = getopt.gnu_getopt(args, 'i:v', [
+                'instance=',
+                'verbose', 'help'])
+
+        except getopt.GetoptError as e:
+            print('ERROR: ' + str(e))
+            self.print_help()
+            sys.exit(1)
+
+        instance_name = 'pki-tomcat'
+
+        for o, a in opts:
+            if o in ('-i', '--instance'):
+                instance_name = a
+
+            elif o in ('-v', '--verbose'):
+                self.set_verbose(True)
+
+            elif o == '--help':
+                self.print_help()
+                sys.exit()
+
+            else:
+                print('ERROR: unknown option ' + o)
+                self.print_help()
+                sys.exit(1)
+
+        instance = pki.server.PKIInstance(instance_name)
+        if not instance.is_valid():
+            print('ERROR: Invalid instance %s.' % instance_name)
+            sys.exit(1)
+
+        instance.load()
+
+        subsystem_name = self.parent.parent.name
+        subsystem = instance.get_subsystem(subsystem_name)
+        if not subsystem:
+            print('ERROR: No %s subsystem in instance %s.'
+                  % (subsystem_name.upper(), instance_name))
+            sys.exit(1)
+
+        log_files = subsystem.get_audit_log_files()
+
+        self.print_message('%s entries matched' % len(log_files))
+
+        first = True
+        for filename in log_files:
+            if first:
+                first = False
+            else:
+                print()
+
+            print('  File name: %s' % filename)
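Review bot: `execute` uses `pki.server.PKIInstance` but the module only imports `pki.cli`; this works today only because `pki.server` happens to be in `sys.modules` by the time the subsystem CLIs import this module, and it breaks the moment `audit.py` is imported on its own. Add `import pki.server` next to `import pki.cli`. Separately, `getopt.gnu_getopt(args, 'i:v', [...'verbose'...])` accepts `-v`/`--verbose`, but `print_help` does not list it; add `print('  -v, --verbose                      Run in verbose mode.')` to the usage text. Positional arguments are silently dropped by `opts, _ = ...`, which is consistent with the other subsystem CLIs but worth knowing when `<subsystem>-audit-file-find extra` is typed by mistake.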
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
index 1d1c00f0f977d63066d68a9ae960aefcd183ad13..550e5110aac9f443819c50eab313ee399c86e6a7 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -28,6 +28,7 @@ import sys
 import tempfile
 
 import pki.cli
+import pki.server.cli.audit
 
 
 class CACLI(pki.cli.CLI):
@@ -38,6 +39,7 @@ class CACLI(pki.cli.CLI):
 
         self.add_module(CACertCLI())
         self.add_module(CACloneCLI())
+        self.add_module(pki.server.cli.audit.AuditCLI(self))
 
 
 class CACertCLI(pki.cli.CLI):
diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
index 5558d6a00bc111410306e7fc23999af2b2dbf845..3724014652762a92e82071cc5d805dfcb39422df 100644
--- a/base/server/python/pki/server/cli/kra.py
+++ b/base/server/python/pki/server/cli/kra.py
@@ -32,6 +32,7 @@ import tempfile
 import time
 
 import pki.cli
+import pki.server.cli.audit
 
 
 KRA_VLVS = ['allKeys', 'kraAll',
@@ -51,6 +52,7 @@ class KRACLI(pki.cli.CLI):
 
         self.add_module(KRACloneCLI())
         self.add_module(KRADBCLI())
+        self.add_module(pki.server.cli.audit.AuditCLI(self))
 
 
 class KRACloneCLI(pki.cli.CLI):
diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py
index 246f5932dc839d2be1207d8e67e46f1b5e5182b3..3e9b6aa64773f76a3fea795af2f6d94abcc73ef6 100644
--- a/base/server/python/pki/server/cli/ocsp.py
+++ b/base/server/python/pki/server/cli/ocsp.py
@@ -28,6 +28,7 @@ import sys
 import tempfile
 
 import pki.cli
+import pki.server.cli.audit
 
 
 class OCSPCLI(pki.cli.CLI):
@@ -37,6 +38,7 @@ class OCSPCLI(pki.cli.CLI):
             'ocsp', 'OCSP management commands')
 
         self.add_module(OCSPCloneCLI())
+        self.add_module(pki.server.cli.audit.AuditCLI(self))
 
 
 class OCSPCloneCLI(pki.cli.CLI):
diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py
index 2c4157a03bc601c36141f67880fe7624aa1febee..0e6a998f776a4943b9b1daf0f51e5944a7cceb55 100644
--- a/base/server/python/pki/server/cli/tks.py
+++ b/base/server/python/pki/server/cli/tks.py
@@ -28,6 +28,7 @@ import sys
 import tempfile
 
 import pki.cli
+import pki.server.cli.audit
 
 
 class TKSCLI(pki.cli.CLI):
@@ -37,6 +38,7 @@ class TKSCLI(pki.cli.CLI):
             'tks', 'TKS management commands')
 
         self.add_module(TKSCloneCLI())
+        self.add_module(pki.server.cli.audit.AuditCLI(self))
 
 
 class TKSCloneCLI(pki.cli.CLI):
diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py
index 1f71b8ece1431426d865d7e98fa87e5417beb36c..03df8de96e7c711288f5fa386b16c2704fb755b7 100644
--- a/base/server/python/pki/server/cli/tps.py
+++ b/base/server/python/pki/server/cli/tps.py
@@ -32,6 +32,7 @@ import tempfile
 import time
 
 import pki.cli
+import pki.server.cli.audit
 
 
 TPS_VLV_PATH = '/usr/share/pki/tps/conf/vlv.ldif'
@@ -46,6 +47,7 @@ class TPSCLI(pki.cli.CLI):
 
         self.add_module(TPSCloneCLI())
         self.add_module(TPSDBCLI())
+        self.add_module(pki.server.cli.audit.AuditCLI(self))
 
 
 class TPSCloneCLI(pki.cli.CLI):
-- 
2.9.3

>From a29888e42c14c9c7e642769b747bb288d39a0809 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Tue, 11 Apr 2017 18:04:41 +0200
Subject: [PATCH] Added pki-server <subsystem>-audit-file-verify CLI.

A new pki-server <subsystem>-audit-file-verify CLI has been added
to verify audit log files on the server.

Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
---
 base/server/python/pki/server/__init__.py  |  5 ++
 base/server/python/pki/server/cli/audit.py | 91 ++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)

diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 112dcbff3625c752d6130b847d4448799e8c8224..88986548df323484117be829dd25e459050de2ac 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -389,6 +389,11 @@ class PKISubsystem(object):
 
         pki.util.customize_file(input_file, output_file, params)
 
+    def get_audit_log_dir(self):
+
+        current_file_path = self.config['log.instance.SignedAudit.fileName']
+        return os.path.dirname(current_file_path)
+
     def get_audit_log_files(self):
 
         current_file_path = self.config['log.instance.SignedAudit.fileName']
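Review bot: `get_audit_log_dir` carries no docstring and duplicates the `log.instance.SignedAudit.fileName` lookup that `get_audit_log_files` (whose body continues past the hunk) performs on the next line. A one-liner such as `"""Return the directory containing the SignedAudit log files."""` would document the contract, and `get_audit_log_files` could derive `log_dir` from this helper so the config key is read in one place.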
diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
index 3bb9d5f0f68748797d9809b0d3e93952c5cd2d5d..0833ca816aef852ac155c4cfce90599a37c9fdb4 100644
--- a/base/server/python/pki/server/cli/audit.py
+++ b/base/server/python/pki/server/cli/audit.py
@@ -21,7 +21,11 @@
 from __future__ import absolute_import
 from __future__ import print_function
 import getopt
+import os
+import shutil
+import subprocess
 import sys
+import tempfile
 
 import pki.cli
 
@@ -34,6 +38,7 @@ class AuditCLI(pki.cli.CLI):
 
         self.parent = parent
         self.add_module(AuditFileFindCLI(self))
+        self.add_module(AuditFileVerifyCLI(self))
 
 
 class AuditFileFindCLI(pki.cli.CLI):
@@ -107,3 +112,89 @@ class AuditFileFindCLI(pki.cli.CLI):
                 print()
 
             print('  File name: %s' % filename)
+
+
+class AuditFileVerifyCLI(pki.cli.CLI):
+
+    def __init__(self, parent):
+        super(AuditFileVerifyCLI, self).__init__(
+            'file-verify', 'Verify audit log files')
+
+        self.parent = parent
+
+    def print_help(self):
+        print('Usage: pki-server %s-audit-file-verify [OPTIONS]' % self.parent.parent.name)
+        print()
+        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
+        print('      --help                         Show help message.')
+        print()
+
+    def execute(self, args):
+
+        try:
+            opts, _ = getopt.gnu_getopt(args, 'i:v', [
+                'instance=',
+                'verbose', 'help'])
+
+        except getopt.GetoptError as e:
+            print('ERROR: ' + str(e))
+            self.print_help()
+            sys.exit(1)
+
+        instance_name = 'pki-tomcat'
+
+        for o, a in opts:
+            if o in ('-i', '--instance'):
+                instance_name = a
+
+            elif o in ('-v', '--verbose'):
+                self.set_verbose(True)
+
+            elif o == '--help':
+                self.print_help()
+                sys.exit()
+
+            else:
+                print('ERROR: unknown option ' + o)
+                self.print_help()
+                sys.exit(1)
+
+        instance = pki.server.PKIInstance(instance_name)
+        if not instance.is_valid():
+            print('ERROR: Invalid instance %s.' % instance_name)
+            sys.exit(1)
+
+        instance.load()
+
+        subsystem_name = self.parent.parent.name
+        subsystem = instance.get_subsystem(subsystem_name)
+        if not subsystem:
+            print('ERROR: No %s subsystem in instance %s.'
+                  % (subsystem_name.upper(), instance_name))
+            sys.exit(1)
+
+        log_dir = subsystem.get_audit_log_dir()
+        log_files = subsystem.get_audit_log_files()
+        signing_cert = subsystem.get_subsystem_cert('audit_signing')
+
+        tmpdir = tempfile.mkdtemp()
+
+        try:
+            file_list = os.path.join(tmpdir, 'audit.txt')
+
+            with open(file_list, 'w') as f:
+                for filename in log_files:
+                    f.write(os.path.join(log_dir, filename) + '\n')
+
+            cmd = ['AuditVerify',
+                   '-d', instance.nssdb_dir,
+                   '-n', signing_cert['nickname'],
+                   '-a', file_list]
+
+            if self.verbose:
+                print('Command: %s' % ' '.join(cmd))
+
+            subprocess.call(cmd)
+
+        finally:
+            shutil.rmtree(tmpdir)
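Review bot: The exit status of `subprocess.call(cmd)` is discarded, so `pki-server <subsystem>-audit-file-verify` exits 0 whether or not AuditVerify accepted the signature chain, which makes the command useless for scripted integrity checks. Capture and propagate it, `rc = subprocess.call(cmd)` followed by `if rc != 0: sys.exit(rc)` — this presumes AuditVerify reports a failed verification through a non-zero status, which should be confirmed against its implementation. `signing_cert['nickname']` will raise a bare TypeError instead of a readable message if `get_subsystem_cert('audit_signing')` returns None for a subsystem that has no audit signing certificate, so a guard with an `ERROR:` line in the style of the checks above would help. As in file-find, `-v`/`--verbose` is parsed but missing from `print_help`.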
-- 
2.9.3
